capricorn80
New Member
September 19, 2018
Question

SSL VPN with Split tunneling


Hi!

 

I followed the following steps to create an SSL VPN for a specific group to have split tunneling.

1. SSL-VPN Portals

Name: Dev

Tunnel Mode: Enable

Enable Split tunneling

Routing address: Development-Servers

sourceIP: SSL-VPN-IP-Range

 

SSL Portal settings:

All the normal settings

 

Authentication/Portal mapping.

 

users/group: DeveloplmentGroup

Realm: /Dev

Portal: Dev

 

Then I created policy:

 

SSL VPN to Dev-servers

 

incoming interface: SSL-VPN tunnel interface (ssl.root)

outgoing interface: LAN

source: SSL-VPN-IP-Range, DeveloplmentGroup

service all.

 

NAT: Disabled.

 

So, as per the rule, I need to create a policy for the SSL VPN range going to the internet.

Name: Dev vpn to internet

incoming interface: ssl.root

outgoing interface: wan1

source: Development-Servers,

          Group: DeveloplmentGroup

Destination: ALL

service: ALL

Then I get this error:

Failed to save some changes: Destination address of split tunneling policy is invalid.

My VPN still works even if I don't have this rule. One reason can be that I allow all traffic from inside to the internet, as I will create filter rules as this is a new firewall. Second, I have another VPN with no split tunneling, but it doesn't contain group -> DeveloplmentGroup.

Pretty confused.

Thanks if someone can help with this.

 


    Toshi_Esumi
    SuperUser
    September 19, 2018

    In the last policy, the source address "Development-Servers" is not on the incoming interface "ssl.root". You need to have two separate policies for the SSL VPN clients' and Development-Servers' internet paths.

    capricorn80
    New Member
    September 19, 2018

    OK, let me double-check this.

     

    What about this?

    This is from the SSL VPN guide, and I am getting a similar error.

     

    Do not use ALL as the destination address. If you do, you will see the “Destination address of Split Tunneling policy is invalid” error when you enable Split Tunneling.

     

    If I have split tunneling ON, then from the ssl.root interface to WAN1 I cannot use ALL in the destination.

    How is that possible, because I don't know the internet destinations for users connecting to it?

    capricorn80
    New Member
    September 20, 2018

    @Toshi!

     

    My SSL VPN is working fine. I just checked with the user account I created for this setup, and I can go out to the internet directly and can ping and RDP to the servers in Development-Servers.

     

    I am not sure why I need more rules for Development to go out to the internet. These servers are sitting inside the LAN.

     

    If I understood correctly, for SSL VPN you create two rules.

    1. SSL.root to Inside

    2. SSL.root to Internet

     

    Thanks.
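
An added illustration, not part of any post in this thread and not FortiOS's own validation logic: a small policy lint that encodes the two rules raised above (the reply's point that a source address must sit on the incoming interface, and the guide's rule against ALL as destination while split tunneling is enabled) and runs them over the policies described in the thread. The address-to-interface map, the destination of the first policy, and the names of the two split internet policies are assumptions.

```python
from dataclasses import dataclass

# Constructed inventory (assumption): the interface each address object sits behind.
ADDRESS_INTERFACE = {"SSL-VPN-IP-Range": "ssl.root", "Development-Servers": "LAN"}

@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: list
    dstaddr: list

def lint(policy, split_tunneling=True, sslvpn_intf="ssl.root"):
    """Return findings for one policy; an empty list means neither rule is hit."""
    findings = []
    # Rule from the reply: a source address must sit on the incoming interface.
    for addr in policy.srcaddr:
        home = ADDRESS_INTERFACE.get(addr)  # unknown objects are skipped
        if home is not None and home != policy.srcintf:
            findings.append(f"source {addr} is on {home}, not on {policy.srcintf}")
    # Rule quoted from the guide: no ALL destination while split tunneling is on.
    if split_tunneling and policy.srcintf == sslvpn_intf:
        if any(dst.upper() == "ALL" for dst in policy.dstaddr):
            findings.append("destination ALL with split tunneling enabled")
    return findings

# Policies as described in the thread; values marked (assumed) are not on the page.
POLICIES = [
    Policy("SSL VPN to Dev-servers", "ssl.root", "LAN",
           ["SSL-VPN-IP-Range"], ["Development-Servers"]),  # destination (assumed)
    Policy("Dev vpn to internet", "ssl.root", "wan1",
           ["Development-Servers"], ["ALL"]),
    # The reply's suggested split into two internet policies (names assumed).
    Policy("VPN clients to internet", "ssl.root", "wan1",
           ["SSL-VPN-IP-Range"], ["ALL"]),
    Policy("Dev servers to internet", "LAN", "wan1",
           ["Development-Servers"], ["ALL"]),
]

def report(policies=POLICIES):
    """Map each policy name to its list of findings."""
    return {p.name: lint(p) for p in policies}

if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name}: {'; '.join(findings) or 'no findings'}")
```

The policy as originally posted trips both rules, while the split version leaves only the ALL-destination finding on the ssl.root policy, which is the point the follow-up question is about.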